Benedict Verheyen <[EMAIL PROTECTED]> writes:

> Today I read that Slackware doesn't use PAM by default because of
> some of the leaks that pop up now and then. I was wondering what
> other type of authentications there are on Linux and how
> easy/difficult they are to set up.

The basic answer here is pretty much either "PAM" or "not"; in the "not" case, individual programs generally ask for a password and verify it against what's in /etc/shadow.

> For instance, if I would now like to change the way users are
> authenticated, how would I do that.

In Debian, you'd find a PAM module for the authentication method you cared about, install it, and put an appropriate reference in the appropriate /etc/pam.d file(s). Otherwise, "change the source".

> What methods are good for providing 1 central repository of
> authentication stuff so that you don't need to spread around passwords
> and thus end up with having to change several sources when a user is
> deleted for instance.

I think both Kerberos and RADIUS are "single sign-on" protocols: when you log on you get some sort of authentication token, which you can use to talk to other services without typing a password. I know much more about Kerberos, so I'll talk about that.

I think it should be possible using only what's included in Debian to assemble infrastructure that gets Kerberos tickets on login (via PAM), and then you have mail services (Kerberos/SASL IMAP), a filesystem (OpenAFS), and passwordless ssh (ssh-krb5). User passwords are only stored one place (the Kerberos KDC), and once they've logged in they never need to type their password again.

Even given this, you still need some way of distributing the (public) information in /etc/passwd. I think LDAP is good for this.

--
David Maze [EMAIL PROTECTED]
http://people.debian.org/~dmaze/
"Theoretical politics is interesting. Politicking should be illegal."
        -- Abra Mitchell
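An added example, not part of the original message: a small parser for /etc/pam.d-style files, run over a constructed common-auth that references a Kerberos module ahead of the local /etc/shadow check, to show what "an appropriate reference" looks like and in what order the stack is evaluated. The file contents and the function names are assumptions made for illustration.

```python
import re

# Constructed sample of a Debian-style /etc/pam.d/common-auth: try Kerberos
# first, then fall back to local passwords in /etc/shadow via pam_unix.
SAMPLE_COMMON_AUTH = """\
# /etc/pam.d/common-auth (constructed sample)
auth  sufficient                  pam_krb5.so minimum_uid=1000
auth  [success=1 default=ignore]  pam_unix.so try_first_pass
auth  requisite                   pam_deny.so
auth  required                    pam_permit.so
"""

# [-]type  control  module  [arguments]; control is a keyword or [value=action ...]
_RULE = re.compile(
    r"^(-?)(auth|account|password|session)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")


def parse_control(control):
    """Bracketed controls become {value: action}; keywords stay strings."""
    if control.startswith("["):
        return dict(pair.split("=", 1) for pair in control[1:-1].split())
    return control


def parse_pam(text):
    """Return the rules of one PAM service file in evaluation order."""
    rules = []
    # A trailing backslash continues a rule on the next line.
    for line in text.replace("\\\n", " ").splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        if line.startswith("@include"):  # Debian's include directive
            rules.append({"type": "include", "file": line.split()[1]})
            continue
        m = _RULE.match(line)
        if m is None:
            raise ValueError(f"unparseable PAM line: {line!r}")
        optional, mtype, control, module, args = m.groups()
        # Simplification: arguments are split on whitespace only.
        rules.append({"type": mtype, "optional": optional == "-",
                      "control": parse_control(control),
                      "module": module, "args": args.split()})
    return rules


def auth_modules(text):
    """Modules consulted, in order, when a user authenticates."""
    return [r["module"] for r in parse_pam(text) if r["type"] == "auth"]


if __name__ == "__main__":
    for rule in parse_pam(SAMPLE_COMMON_AUTH):
        print(rule)
```
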